How to improve the relationship between developers and security teams and strengthen application security


Chris Wysopal shared a history lesson on the evolution of application security and tips on how to make all applications more secure.

Veracode CTO Chris Wysopal shared highlights of his application security career at an OWASP event, including his testimony to Congress in 1998 as a member of the L0pht hacker collective.


In December 1996, application security expert Chris Wysopal released his first vulnerability report. He had discovered that data in Lotus Domino 1.5 could be modified or deleted if permissions were not set correctly or if URLs were altered. That class of weakness, broken access control, is the number one risk on the OWASP Top 10 2021 list of application security risks.

“We know this problem very well and knowing the problem does not solve the problem,” he said.

Wysopal, who is the CTO and co-founder of Veracode, shared a brief history of his career as an application security researcher, from his time with the L0pht hacker collective and testifying before Congress to doing security consulting with Microsoft in the early 2000s. Wysopal spoke during a keynote at the OWASP 20th Anniversary Event, a free, live 24-hour event held on Friday.

Wysopal said he started out as an outsider in the tech world, which gave him a unique perspective on reporting issues that software engineers, business leaders and government officials didn’t see. Over the past 25 years, appsec researchers have shifted from outside reviewers to professional colleagues working with software engineers to improve security.


“As William Gibson said, ‘The future is unevenly distributed,’ and I think we can learn from the past and learn from those who are already living in the future,” he said.

He shared tips on how to forge a closer working relationship between developers and security experts, as well as how the appsec profession has evolved over the years.

Building relationships to improve security

Wysopal said he sees the latest evolution of appsec as security experts becoming official members of the software development team.

“Success is being part of a team that ships secure code on time, strives to continually improve the process, and does less work for the same secure result,” he said.

Wysopal said a strong relationship between the two teams is another key to making appsec work. Individual developers and members of the security team should consider these questions and find the answers:

  • Who is your development or security peer?
  • Do you meet them?
  • Do you understand each other’s goals?
  • Are you sympathetic to each other’s struggles?

Another key to success is ensuring shared responsibility between the security and software engineering groups:

  • How do you establish the common goal of shipping secure software on time?
  • What can the security team do to make sure the development team doesn’t have to slow down?
  • What can the development team do to help the security team test faster?

“In addition, this responsibility needs to be measured and reported,” he said.


Veracode CTO Chris Wysopal explained the impact of security measures on closing software vulnerabilities during an OWASP event.


Wysopal said some apps, by their very nature, are more difficult to secure than others. His team takes into account both the nature of each application and how it is developed when working to improve its security.

The ideal environment for easy-to-secure applications looks like this:

  • Small organization
  • Small application
  • Low defect density
  • New application

It’s harder to secure older, larger applications with high defect densities built in large enterprises, Wysopal said.

Development teams that ship secure applications scan frequently and use a variety of scan types. Infrequent scans of a single type make it difficult to improve application security.


Veracode CTO Chris Wysopal presented this graph during his keynote address to illustrate the time it takes to resolve a software flaw depending on the type of environment an application exists in.


Wysopal also shared some tips on how changing security practices can improve appsec, whether an application is easy or difficult to secure. In a good environment, security best practices can reduce the half-life of a vulnerability from 25 to 13 days. In a less than ideal environment, improving security practices can reduce the half-life of a vulnerability by more than four months.
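The "half-life" figures above are a flaw closure-time metric. As an added illustration, and not Wysopal's slides or Veracode's methodology, the following Python computes one simple version of it from flaw open and close dates: the age at which at most half of the findings remain open. The two backlogs are constructed sample data, and the function names, the rule that still-open flaws count as open while flaws not yet observed long enough are excluded, and the 365-day cutoff are choices made here, not anything from the talk.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Flaw:
    """One finding from a scan. `closed` is None if it is still open at report time."""
    flaw_id: str
    opened: date
    closed: Optional[date]


def fraction_open_at(flaws: List[Flaw], age_days: int, as_of: date) -> float:
    """Fraction of flaws still open `age_days` after they were found.

    Still-open flaws count as open (they are censored, not ignored), but a flaw that
    has not yet been observed for `age_days` as of the report date is excluded, so
    newly found flaws do not make the backlog look better or worse than it is.
    """
    eligible = 0
    still_open = 0
    for flaw in flaws:
        if (as_of - flaw.opened).days < age_days:
            continue  # not observed long enough to say anything about this age
        eligible += 1
        if flaw.closed is None or (flaw.closed - flaw.opened).days > age_days:
            still_open += 1
    if eligible == 0:
        raise ValueError(f"no flaw has been observed for {age_days} days")
    return still_open / eligible


def half_life_days(flaws: List[Flaw], as_of: date, max_days: int = 365) -> Optional[int]:
    """Smallest age (in days) at which at most half of the eligible flaws remain open.

    Returns None if half the flaws are never closed within `max_days`, or if the
    observation window runs out first.
    """
    for age in range(max_days + 1):
        try:
            if fraction_open_at(flaws, age, as_of) <= 0.5:
                return age
        except ValueError:
            return None
    return None


# Constructed sample data (not Veracode's data): two backlogs observed on the same report date.
AS_OF = date(2021, 9, 24)


def _backlog(prefix: str, opened: date, closure_days: List[Optional[int]]) -> List[Flaw]:
    """Build flaws found on `opened`, each closed after the given number of days (None = still open)."""
    return [
        Flaw(f"{prefix}-{i}", opened, None if d is None else opened + timedelta(days=d))
        for i, d in enumerate(closure_days, start=1)
    ]


# Small, new application scanned frequently: most findings closed within weeks.
GOOD_TEAM = _backlog("good", date(2021, 7, 1), [3, 8, 12, 20, 30, None])
# Large legacy application scanned rarely: closures trickle in over months.
LEGACY_TEAM = _backlog("legacy", date(2021, 5, 1), [40, 90, 130, None, None, None])


if __name__ == "__main__":
    for name, flaws in (("good", GOOD_TEAM), ("legacy", LEGACY_TEAM)):
        print(f"{name}: half-life = {half_life_days(flaws, AS_OF)} days, "
              f"{fraction_open_at(flaws, 30, AS_OF):.0%} still open after 30 days")
```

Counting still-open flaws as open rather than dropping them matters: a backlog where half the findings are never fixed should show a long half-life, not a flattering one computed only from the flaws that did get closed.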

The evolution of appsec

After they posted their first vulnerability report, Lotus acknowledged the issue on its homepage, explained how it had fixed it and thanked them for finding the issue, Wysopal said.

“There was a new feeling that some developers actually enjoyed vulnerability research even in 1996, and it made us think maybe we should talk to the developers,” he said.

He and his fellow hacker Mudge (Peiter Zatko) started talking to software companies, including Microsoft, about vulnerability research. In May 1998, he and his colleagues at the L0pht testified at a congressional hearing, “Weak Computer Security in Government”.

“It awakened the world to the fact that industry and government need to work with vulnerability researchers,” he said.

Then, in November 2001, Wysopal received an email about the launch of OWASP. The next phase was working with engineers at Microsoft, and the next challenge was moving from being an outside reviewer to working alongside developers.

The first tools were designed for appsec researchers, not developers, and that meant developers weren’t using those tools to improve security, Wysopal said.

Appsec teams had to do more than just find flaws, because that approach alone angered developers and blocked progress.

“We had to walk lightly or nothing would be fixed at all,” he said. “This approach could have been a step back in the early days of automation.”

The focus then shifted to fixing problems, with an emphasis on training, sample fixes and secure libraries, he said. This was the start of modern appsec.

“One of the best things that has happened to appsec is the process shift to agile and DevOps,” he said. “It was really a forcing function to modernize the way appsec works.”
